I’ve seen people advocating for both options, but since I’m still new to Linux I’m not sure what to do. I’m currently installing Mint on my laptop to try it out, and I’m not sure if I should enable secure boot or not.
I’ve seen people advocating for both options, but since I’m still new to Linux I’m not sure what to do. I’m currently installing Mint on my laptop to try it out, and I’m not sure if I should enable secure boot or not.
If you’re not actually going to be engaging in securing anything with it, just leave it off to avoid issues.
Linux supports secure boot so if a distro supports it it’s worth using it.
Linux can use a key signed by Microsoft in a preboot loader and then itself perform its own key authentications for all other processes and software (a shim), forming a secure chain from the BIOS up during boot. You dont have to play with creating your own keys.
So if your OS supports secure boot it is worth using it for added security at boot. Its far from perfect in this set up (as there are plenty of windows OS that also have permission to boot) but it is better than a free for all without it even if the risk is low for most desktop users.
You can go further and generate your own keys and use secure boot and TPM together to lock down the system further but you dont have to to get some benefits from secure boot.
That’s not the question though. This is an average user installing Mint. They’re probably not enrolling disk encryption with TPM values or SB certs, they’re literally asking if it’s going to help them by default, and the answer is no. Now, if they were asking how they could increase system security with Secure Boot, I’d answer differently.
deleted by creator
Lol, explain how? Are you using TPM values to actually secure anything? If not, then it’s literally doing nothing for you.
Its not doing nothing. Linux uses a Microsoft provided key for initial BIOS authentication and then has its own tree of keys that it uses for security. So it does have the benefits of locking out malicious code/processes evenninna default set up.
Using your own secure boot and TPM keys is certainly more secure, but it doesnt follow that secure boot with the default set up is doing nothing to help secure your system at boot.
No idea where you got this understanding from, but it’s not accurate. In your example, if a distro has signed binaries, then it will work to verify code loaded during the boot process to help to verify system integrity. As OP asked about Mint, yes it technically does have signed pre boot and boot signed modules.
No, this will not prevent all code/processes that aren’t signed from running. That’s a ludicrous statement. It will prevent unsigned kernel modules from being loaded (see Nvidia’s MOK process), and it will prevent a disk from being hit with sideload attacks perhaps (it should be encrypted anyway), but it absolutely does not prevent a user from running unsigned code, or even using root privs to run harmful code (like running random scripts from GitHub).
So at the end of the day does it help a standard user with security? I would argue no. As I said elsewhere, if this question were about HOW to improve security with SB, I’d have a different answer, but that’s not the question OP asked.
You don’t know what you are talking about